Global multinationals like Google claim that British courts have no
jurisdiction over them, explains John Reid.

“There is no right without a remedy.” Though not universally true, this maxim of equity is a cornerstone of English and American common law and core values. But remedies – judicial, political, or administrative – require institutions to establish, adjudicate, and enforce them. Without these, you either have no remedy, or vigilantism, or anarchy.

National governments historically have operated within confined jurisdictions: geographic, legal, and physical. Cyberspace is a new environment, neither geographic nor physical, created entirely by humans. As my colleagues and I at the Institute for Security and Resilience Studies at UCL warned in 2011, the transnational nature of cyberspace risks confounding, or even obliterating, national jurisdictions, including, in some respects, the sovereignty of individual countries.

One area in which this phenomenon is already becoming evident is the attempted application, by individual nations, of privacy-protective and other national laws to large, multinational companies providing cloud-computing services to consumers. Virtually all such companies, wherever their physical headquarters, operate globally, providing services to, and collecting data about and from, individual citizens of many nations. Companies’ reactions to court orders and lawsuits, at least from jurisdictions other than their “home” countries, have ranged from compliance, to defiance, to various legal stratagems to evade unfavourable jurisdictions.

A recent case in point is the group legal action filed in UK court by dozens of Apple Safari browser users, asserting that Google unlawfully circumvented Safari’s privacy settings without users’ consent to monitor their web usage. (The US Federal Trade Commission previously imposed a £14.4 million fine on Google for similar practices.)

Although the case is at an early stage, as reported in August Google is asserting to the UK courts, among other defences, that our courts have “no jurisdiction” to hear legal claims by British citizens for alleged violations of their privacy rights. Put simply, Google argues that, despite operating its “Google UK” subsidiary from London, it is immune from the UK legal process because its consumer services are provided by California-based “Google, Inc.” The company further argues that only courts in California have jurisdiction over such claims, forcing British citizens to litigate thousands of miles away from where they use Google and, possibly, causing the case to be heard not under UK privacy laws but US ones.

Related Articles

Whether or not Google prevails in this particular litigation, such jurisdictional claims raise several significant issues. These include:

Potential Deprivation of Rights. In the UK and the European Union, privacy is a fundamental human right. In the US, privacy rights exist, but are tempered by many competing interests, including national security, and, much more so than in Europe, such rights may be “waived,” possibly, as has been argued by Google and others in American courts, simply by an individual’s use of a service. So, at a minimum, if a US company can command such a “home ground advantage”, the rights of British citizens are likely to be diminished in quality and quantity, including by making their enforcement more costly and less convenient. In the worst case, the successful assertion by US companies in US courts of defences unavailable to them in the UK could deprive British citizens entirely of privacy rights supposedly enshrined in UK and EU law.

Gaming the System. A successful assertion that UK courts have no jurisdiction in the Google case would be likely to encourage many more multinational, cloud-computing-related companies to exploit the precedent and the system. As we already know well from recent reports from the Public Accounts Committee, some companies already employ such geographic shell game strategies to avoid taxation and to take advantage of favourable banking, corporate, regulatory, or other laws. Companies may likewise deliberately locate the provision of services in various locations for the specific purpose of defeating users’ privacy rights.

Challenges to National Sovereignty. At the most global level, the growth of massive, multinational, cloud-service providers will continue to pose direct challenges to many elements of national sovereignty, including the ability of a nation to enforce not just the privacy protections it promises its citizens, but e.g. antitrust and other economic regulations, or hate-crime laws. Such problems are likely to proliferate across all elements of national sovereignty, with the possible exception of military and security operations. National legislatures will become increasingly unable to pass laws that can be meaningfully applied to the Googles, Yahoos, Microsofts, and Amazons of the world. Prime ministers and presidents may be unable to assert successfully the historical prerogatives of national chief executives, including that of control of their own borders, at least with regard to the provision of goods and services.

Finally, global internet companies themselves may wish to consider this potential erosion of sovereignty as they develop their legal strategies. As I have argued before: “sovereignty … even matters to corporations when life beyond their niches reveals how fragile [established] firms can be, adrift in cyberspace.” Successful avoidance of regulation by sovereign nations may also deprive companies of needed protection from those same nations. In other words, Google and others, be careful what you wish for.

Lord Reid is a former Home Secretary and Defence Secretary. He is Chair of the Institute for Security and Resilience Studies at UCL and a Principal at The Chertoff Group, a global risk management and security advisory firm